2. Index
What is Computer Forensics
Objective of Computer Forensics
Why Computer Forensics
History of Computer Forensics
How it approaches
Steps of Investigation
What not to do during Investigation
Computer Forensics Techniques
4. What is Computer Forensics
Computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded.
6. Why Computer Forensics?
- Employee internet abuse
- Unauthorized disclosure of corporate information and data
- Industrial espionage
- Damage assessment
- Criminal fraud and deception cases
- More general criminal cases
- and countless others!
7. History of Computer Forensics
Enron's bankruptcy in December 2001 left hundreds of employees jobless, while some executives seemed to benefit from the company's collapse.
The United States Congress decided to investigate, and a specialized detective force began to search through hundreds of Enron employee computers using computer forensics.
8. How it approaches?
- Secure the subject system (from tampering during the operation)
- Take a copy of the hard drive (if applicable)
- Identify and recover all files (including those deleted)
- Access/copy hidden, protected and temporary files
- Study 'special' areas on the drive (e.g. residue from previously deleted files)
- Investigate data/settings from installed applications/programs
9. How it approaches (cont.)
- Assess the system as a whole, including its structure
- Consider general factors relating to the user's activity
- Create a detailed report. Throughout the investigation, it is important to stress that a full audit log of your activities should be maintained.
10. Steps of Investigation
Secure the computer system to ensure that the equipment and data are safe
Find every file on the computer system
Recover as much deleted information as possible using applications
Reveal the contents of all hidden files with programs designed to detect the presence of hidden data
Decrypt and access protected files
11. Steps of Investigation (cont.)
Analyze special areas of the computer's disks
Document every step of the procedure
Be prepared to testify in court as an expert witness in computer forensics
12. What should not be done during investigation?
- Avoid changing date/time stamps (of files, for example) or changing the data itself
- Avoid overwriting unallocated space (which can happen on re-boot, for example). 'Study, don't change' is a useful catch-phrase.
14. Anti-Forensics: The Nightmare
Programmers design anti-forensic tools to make it hard or impossible to retrieve information during an investigation.
There are dozens of ways people can hide information.
15. Anti-Forensics (cont.)
Some programs can fool computers by changing the information in files' headers
Programs can divide files up into small sections and hide each section at the end of other files
Programs called packers can insert executable files into other kinds of files
Encryption is another way to hide data
Changing the metadata attached to files
Some computer applications will erase data if an unauthorized user tries to access the system
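The investigation steps above ('study, don't change', hashing, a full audit log) and the header-tampering technique from this slide can be shown together in a small examiner-side check. This is an added example, not part of the original deck: it re-hashes an acquired image read-only against the hash recorded at acquisition, flags files whose header bytes contradict their extension, and writes every action to an audit log. The signature table and the two sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed signature table (short, illustrative): header bytes -> expected extension.
MAGIC = {
    b"%PDF-": ".pdf",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
}

def audit(log, action, **fields):
    """Append one timestamped entry to the examiner's audit log."""
    log.append({"time": datetime.now(timezone.utc).isoformat(), "action": action, **fields})

def sha256_readonly(path, chunk=1 << 20):
    """Hash a file opened read-only, in chunks: 'study, don't change'."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(path, recorded_hash, log):
    """Re-hash an acquired image and compare it with the hash recorded at acquisition."""
    actual = sha256_readonly(path)
    ok = actual == recorded_hash
    audit(log, "verify_image", path=path, sha256=actual, match=ok)
    return ok

def header_mismatch(path, log):
    """Return the extension the header implies when it contradicts the name, else None."""
    with open(path, "rb") as f:
        head = f.read(16)
    claimed = os.path.splitext(path)[1].lower()
    implied = next((ext for sig, ext in MAGIC.items() if head.startswith(sig)), None)
    flagged = implied if implied is not None and implied != claimed else None
    audit(log, "header_check", path=path, claimed=claimed, implied=implied, flagged=flagged)
    return flagged

def build_samples():
    """Write two constructed files to a temp dir: an honest PDF and a PNG renamed to .jpg."""
    d = tempfile.mkdtemp()
    paths = {"honest": os.path.join(d, "report.pdf"), "spoofed": os.path.join(d, "photo.jpg")}
    with open(paths["honest"], "wb") as f:
        f.write(b"%PDF-1.4\n%constructed sample\n")
    with open(paths["spoofed"], "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return paths
```

A mismatch only says the name and header disagree; the file still has to be examined, and the audit entry records what was checked and when.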
16. Computer Forensics Tools
Disk imaging software
Software or hardware write tools
Hashing tools
File recovery programs
Programs to preserve information in RAM
Encryption decoding software
Password cracking software
17. Advantages of Computer Forensics
Ability to search through a massive amount of data:
- Quickly
- Thoroughly
- In any language
18. Disadvantages of Computer Forensics
Digital evidence accepted into court must prove that there is no tampering.
All evidence must be fully accounted for.
Computer forensic specialists must have complete knowledge of legal requirements, evidence handling and storage, and documentation procedures.
19. Disadvantages of Computer Forensics (cont.)
Costs: producing electronic records and preserving them is extremely costly.
Presents the potential for exposing privileged documents.
Legal practitioners must have extensive computer knowledge.
20. Conclusion
With computers becoming more and more involved in our everyday lives, both professionally and socially, there is a need for computer forensics. This field will enable crucial electronic evidence to be found, whether it was lost, deleted, damaged, or hidden, and used to prosecute individuals who believe they have successfully beaten the system.